BEC/Fraud: Generic Scam attempt to Undisclosed Recipients
Detects potential generic scams by analyzing text within the email body and other suspicious signals.
# Sublime Security detection rule; the detection logic is the MQL expression under `source:`.
1name: "BEC/Fraud: Generic Scam attempt to Undisclosed Receipients"
2description: |
3 Detects potential generic scams by analyzing text within the email body and other suspicious signals.
4type: "rule"
5severity: "low"
6source: |
7 type.inbound
 // Every clause below is AND-ed together: the rule only fires when all of them hold.
8
9 // undisclosed recipients: some To/Cc/Bcc entry has a display name matching "Undisclosed recipients"
10 and any([recipients.to, recipients.bcc, recipients.cc],
11 any(., .display_name =~ "Undisclosed recipients")
12 )
13
14 // mismatched sender (from) and Reply-to: every Reply-To root domain differs from the From root domain
15 and any(headers.reply_to,
16 length(headers.reply_to) > 0
 // NOTE(review): any() over an empty reply_to list is presumably already false, so the length guard
 // above looks redundant — confirm against MQL semantics before removing it
17 and all(headers.reply_to,
18 .email.domain.root_domain != sender.email.domain.root_domain
19 )
20 )
21
22 // generic recipient: the NLU classifier tags a "recipient" entity whose text contains "sir" or "madam"
 // NOTE(review): ml.nlu_classifier(...) is evaluated three times on the same text in this rule;
 // presumably the engine caches it — confirm
 // NOTE(review): the regex has no word boundaries, so a name such as "Sirius" would also match;
 // consider anchoring it if this proves noisy
23 and any(ml.nlu_classifier(body.current_thread.text).entities,
24 .name == "recipient" and regex.icontains(.text, "(sir|madam)")
25 )
26
27 // request made: the classifier finds at least one "request" entity in the current thread
28 and any(ml.nlu_classifier(body.current_thread.text).entities,
29 .name == "request")
30
31 // not a bec scam: none of the classified intents is "bec" (presumably left to dedicated BEC rules — confirm)
32 and all(ml.nlu_classifier(body.current_thread.text).intents,
33 .name != "bec"
34 )
35
36 // negate highly trusted sender domains unless they fail DMARC authentication
 // Equivalent to: not (root_domain in $high_trust_sender_root_domains and dmarc.pass).
 // NOTE(review): "not headers.auth_summary.dmarc.pass" presumably also holds when no DMARC result
 // is present, so a trusted domain with a missing DMARC verdict is not excluded — confirm intended
37 and (
38 (
39 sender.email.domain.root_domain in $high_trust_sender_root_domains
40 and not headers.auth_summary.dmarc.pass
41 )
42 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
43 )
 // sender profile: either a new/outlier sender we never solicited, or a sender with prior
 // malicious/spam messages and no recorded false positives
44 and (
45 (
46 profile.by_sender().prevalence in ("new", "outlier")
47 and not profile.by_sender().solicited
48 )
49 or (
50 profile.by_sender().any_messages_malicious_or_spam
51 and not profile.by_sender().any_false_positives
52 )
53 )
 // no false positives for this sender at all; this matters for the first branch above,
 // the second branch already requires it
54 and not profile.by_sender().any_false_positives
55
56
# Catalog metadata: attack type, tactics/techniques and detection methods.
57attack_types:
58 - "BEC/Fraud"
59tactics_and_techniques:
60 - "Social engineering"
61detection_methods:
62 - "Content analysis"
63 - "Header analysis"
64 - "Natural Language Understanding"
65 - "Sender analysis"
66id: "5dac401f-d3c1-5092-aba4-58ab597c702b"